Analysis
- max time kernel: 120s
- max time network: 109s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/10/2024, 22:31
Static task: static1
Behavioral task: behavioral1
- Sample: 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
- Resource: win10v2004-20241007-en
General
- Target: 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
- Size: 194KB
- MD5: 8467fa7e163a2b69bbcfb023641aa440
- SHA1: 020d3100037b97b9e7d82416b57f644d5f116ca7
- SHA256: 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290c
- SHA512: 2636a919a32079380f04e47a9988903c2cc3184ba925c266d2e64ff60378579707fce353c9a69057b17399c0a4640aae8739c29cb7e6a9042c25ec7d20a1ebe2
- SSDEEP: 3072:BU9xsZhI7T4Mdew/MCgXFjT2A0SBsHS4J8h1F9yMwh5oHefi+pZIG:BU8h0T4MdeGMBX98WFnh1W3bfLp+
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
-
Renames multiple (72) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | xoEoMkQo.exe
-
Executes dropped EXE 2 IoCs
pid | Process
4768 | xoEoMkQo.exe
2644 | pWEYIMQs.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eQAkQcoo.exe = "C:\\Users\\Admin\\YGoswEoY\\eQAkQcoo.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Veokogws.exe = "C:\\ProgramData\\qIgcssEE\\Veokogws.exe" | Process not Found
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xoEoMkQo.exe = "C:\\Users\\Admin\\ueMcoUsA\\xoEoMkQo.exe" | 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pWEYIMQs.exe = "C:\\ProgramData\\fGoIwkok\\pWEYIMQs.exe" | 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xoEoMkQo.exe = "C:\\Users\\Admin\\ueMcoUsA\\xoEoMkQo.exe" | xoEoMkQo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pWEYIMQs.exe = "C:\\ProgramData\\fGoIwkok\\pWEYIMQs.exe" | pWEYIMQs.exe
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\shell32.dll.exe | xoEoMkQo.exe
File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | xoEoMkQo.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid | pid_target | Process | procid_target
4444 | 1864 | Process not Found | 1794
5036 | 1044 | Process not Found | 1795
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
-
Modifies registry key 1 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1248 | 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
4204 | 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
3748 | 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
5056 | 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
436 | 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
5020 | 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
1516 | 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
2272 | 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
5028 | 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
2832 | 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
4092 | 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
4180 | 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
4232 | 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
4608 | 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
2968 | 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
4640 | 95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4768 xoEoMkQo.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4768 xoEoMkQo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe"C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe"C:\Users\Admin\ueMcoUsA\xoEoMkQo.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4768
-
-
C:\ProgramData\fGoIwkok\pWEYIMQs.exe"C:\ProgramData\fGoIwkok\pWEYIMQs.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2644
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"4⤵
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"6⤵
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN7⤵
- Suspicious behavior: EnumeratesProcesses
PID:5056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"8⤵PID:4760
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN9⤵
- Suspicious behavior: EnumeratesProcesses
PID:436 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"10⤵
- System Location Discovery: System Language Discovery
PID:3492 -
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN11⤵
- Suspicious behavior: EnumeratesProcesses
PID:5020 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"12⤵PID:2060
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"14⤵PID:4632
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN15⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2272 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"16⤵PID:2052
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN17⤵
- Suspicious behavior: EnumeratesProcesses
PID:5028 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"18⤵PID:5080
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2832 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"20⤵PID:2308
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4092 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"22⤵PID:1176
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN23⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4180 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"24⤵
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"26⤵
- System Location Discovery: System Language Discovery
PID:32 -
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4608 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"28⤵PID:1584
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"30⤵PID:1712
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"32⤵PID:2728
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN33⤵PID:2932
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"34⤵PID:2260
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN35⤵PID:1368
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"36⤵PID:4560
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN37⤵PID:384
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"38⤵PID:3692
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN39⤵
- System Location Discovery: System Language Discovery
PID:768 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"40⤵PID:3396
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN41⤵PID:4304
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"42⤵PID:720
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN43⤵PID:4760
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"44⤵
- System Location Discovery: System Language Discovery
PID:3696 -
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN45⤵PID:2788
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"46⤵PID:1172
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN47⤵
- System Location Discovery: System Language Discovery
PID:396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"48⤵PID:1176
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV149⤵PID:512
-
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN49⤵PID:1220
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"50⤵PID:1300
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV151⤵PID:4036
-
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN51⤵PID:2336
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"52⤵PID:720
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN53⤵PID:2308
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"54⤵PID:1068
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN55⤵PID:1464
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"56⤵PID:4608
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN57⤵PID:3364
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"58⤵
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN59⤵PID:4228
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"60⤵PID:1884
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN61⤵PID:4280
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"62⤵PID:3144
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN63⤵PID:3544
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"64⤵PID:2440
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN65⤵PID:2372
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"66⤵PID:3972
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV167⤵PID:4404
-
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN67⤵PID:2484
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"68⤵PID:3312
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN69⤵PID:1060
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"70⤵PID:3688
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN71⤵PID:4464
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"72⤵PID:5092
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN73⤵PID:4304
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"74⤵PID:5036
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN75⤵PID:2040
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"76⤵PID:4580
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN77⤵PID:3052
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"78⤵PID:3512
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN79⤵PID:2028
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"80⤵PID:1168
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN81⤵PID:3500
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"82⤵PID:4940
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV183⤵PID:1796
-
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN83⤵PID:1360
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"84⤵PID:220
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN85⤵PID:1604
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"86⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN87⤵PID:3808
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"88⤵PID:4756
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN89⤵PID:3076
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"90⤵
- System Location Discovery: System Language Discovery
PID:1168 -
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN91⤵PID:512
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"92⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN93⤵PID:4200
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"94⤵PID:3636
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN95⤵PID:3888
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"96⤵PID:2364
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN97⤵PID:1176
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"98⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN99⤵PID:4632
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"100⤵PID:3148
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN101⤵PID:1220
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"102⤵PID:1876
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN103⤵PID:3664
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"104⤵PID:4732
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN105⤵PID:2336
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"106⤵
- System Location Discovery: System Language Discovery
PID:1096 -
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN107⤵PID:3748
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"108⤵PID:676
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN109⤵PID:4404
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"110⤵PID:2948
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN111⤵PID:2256
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"112⤵PID:3888
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN113⤵PID:3364
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"114⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN115⤵
- System Location Discovery: System Language Discovery
PID:4228 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"116⤵
- System Location Discovery: System Language Discovery
PID:3204 -
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN117⤵PID:4808
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"118⤵
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN119⤵PID:972
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"120⤵PID:2948
-
C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN.exeC:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN121⤵PID:2260
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\95732cd02e4cb60c30d720c624d5dddf0e289eb67ba6972a35731e863d65290cN"122⤵PID:1248
-