Analysis
-
max time kernel
30s -
max time network
21s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
07-12-2024 18:41
Behavioral task
behavioral1
Sample
2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe
Resource
win10v2004-20241007-en
General
-
Target
2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe
-
Size
620KB
-
MD5
133d351d37afbfb27c39b6f87d734550
-
SHA1
a0b907130e2758e1c15a504f19782e34a8867a69
-
SHA256
2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0f
-
SHA512
cbd1db3954c3e8266264313c7698b53f01b4f2850814d1c5a7807962e4671ca732c1b920103bc50bf3097dbde868311d14b55093f6ee8a6d575d976b0f87694d
-
SSDEEP
12288:3QveDfL7VwmhkKTU2N/cvC888888888888W88888888888FzX:3QmDffVwmhcIcG
Malware Config
Signatures
-
Detect Neshta payload 64 IoCs
resource yara_rule behavioral1/files/0x0008000000015fa6-2.dat family_neshta behavioral1/files/0x00070000000160da-12.dat family_neshta behavioral1/memory/2892-106-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2460-204-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1964-220-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/856-236-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2772-260-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2904-300-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2256-308-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1392-316-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2180-324-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2832-323-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2616-315-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2948-307-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1528-299-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2140-292-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2920-291-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/560-284-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2164-283-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2020-276-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2648-275-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1568-268-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta 
behavioral1/memory/2896-267-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2748-259-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2572-252-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2072-251-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2792-244-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2888-243-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2132-235-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1588-228-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/484-227-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/376-219-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1632-212-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/908-211-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1968-203-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2380-196-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2356-195-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1340-188-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1244-187-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1392-180-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1812-179-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1940-172-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/924-171-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2188-164-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta 
behavioral1/memory/1792-163-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2140-156-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2172-155-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2916-148-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2908-147-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1876-134-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2876-133-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/320-120-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1148-119-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/824-105-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2240-92-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1864-91-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2568-78-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/3040-77-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2888-64-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2676-63-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1800-50-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2024-49-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/856-36-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2820-35-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Neshta
Neshta is a file-infecting virus rather than a standalone payload: it spreads by writing itself into other executables on the host and damages them in the process. In this run that is visible as the sample opening a large number of .EXE files under Program Files for modification, dropping a copy of itself as C:\Windows\svchost.com (together with C:\Windows\directx.sys), and redirecting the exefile shell\open\command to that copy so every program launched through the shell re-runs the infector. The original program is re-executed from a temp subdirectory (here %LOCALAPPDATA%\Temp\3582-490\), which is why the process tree below alternates between svchost.com and 2BE3D8~1.EXE. Cleanup note: restore the exefile association before deleting C:\Windows\svchost.com, otherwise .exe files will no longer launch, and treat every modified executable listed below as infected rather than merely touched.
-
Neshta family
-
Executes dropped EXE 64 IoCs
pid Process 2360 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe 2340 svchost.com 2264 2BE3D8~1.EXE 856 svchost.com 2820 2BE3D8~1.EXE 1800 svchost.com 2024 2BE3D8~1.EXE 2888 svchost.com 2676 2BE3D8~1.EXE 2568 svchost.com 3040 2BE3D8~1.EXE 2240 svchost.com 1864 2BE3D8~1.EXE 2892 svchost.com 824 2BE3D8~1.EXE 320 svchost.com 1148 2BE3D8~1.EXE 1876 svchost.com 2876 2BE3D8~1.EXE 2916 svchost.com 2908 2BE3D8~1.EXE 2140 svchost.com 2172 2BE3D8~1.EXE 2188 svchost.com 1792 2BE3D8~1.EXE 1940 svchost.com 924 2BE3D8~1.EXE 1392 svchost.com 1812 2BE3D8~1.EXE 1340 svchost.com 1244 2BE3D8~1.EXE 2380 svchost.com 2356 2BE3D8~1.EXE 2460 svchost.com 1968 2BE3D8~1.EXE 1632 svchost.com 908 2BE3D8~1.EXE 1964 svchost.com 376 2BE3D8~1.EXE 1588 svchost.com 484 2BE3D8~1.EXE 856 svchost.com 2132 2BE3D8~1.EXE 2792 svchost.com 2888 2BE3D8~1.EXE 2572 svchost.com 2072 2BE3D8~1.EXE 2772 svchost.com 2748 2BE3D8~1.EXE 1568 svchost.com 2896 2BE3D8~1.EXE 2020 svchost.com 2648 2BE3D8~1.EXE 560 svchost.com 2164 2BE3D8~1.EXE 2140 svchost.com 2920 2BE3D8~1.EXE 2904 svchost.com 1528 2BE3D8~1.EXE 2256 svchost.com 2948 2BE3D8~1.EXE 1392 svchost.com 2616 2BE3D8~1.EXE 2180 svchost.com -
Loads dropped DLL 64 IoCs
pid Process 2336 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe 2336 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe 2340 svchost.com 2340 svchost.com 856 svchost.com 856 svchost.com 1800 svchost.com 1800 svchost.com 2888 svchost.com 2888 svchost.com 2568 svchost.com 2568 svchost.com 2240 svchost.com 2240 svchost.com 2892 svchost.com 2892 svchost.com 320 svchost.com 320 svchost.com 1876 svchost.com 1876 svchost.com 2916 svchost.com 2916 svchost.com 2140 svchost.com 2140 svchost.com 2188 svchost.com 2188 svchost.com 1940 svchost.com 1940 svchost.com 1392 svchost.com 1392 svchost.com 1340 svchost.com 1340 svchost.com 2380 svchost.com 2380 svchost.com 2460 svchost.com 2460 svchost.com 1632 svchost.com 1632 svchost.com 1964 svchost.com 1964 svchost.com 1588 svchost.com 1588 svchost.com 856 svchost.com 856 svchost.com 2792 svchost.com 2792 svchost.com 2572 svchost.com 2572 svchost.com 2772 svchost.com 2772 svchost.com 1568 svchost.com 1568 svchost.com 2020 svchost.com 2020 svchost.com 560 svchost.com 560 svchost.com 2140 svchost.com 2140 svchost.com 2904 svchost.com 2904 svchost.com 2256 svchost.com 2256 svchost.com 1392 svchost.com 1392 svchost.com -
Modifies system executable filetype association 2 TTPs 1 IoCs
The HKLM exefile open command is set to C:\Windows\svchost.com "%1" %*, so any .exe started through the shell is first run by the dropped infector, which then launches the requested program (see IoC below). This is both a persistence mechanism and the reason removing svchost.com without first restoring the association breaks program launching.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials. Caveat: this is a generic heuristic and no IoC rows are listed under it in this report, so the behaviour is not confirmed here; the sample's modification of browser executables under Program Files (e.g. iexplore.exe, listed below) is a plausible trigger. Treat as unconfirmed rather than as evidence of credential theft.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE 
2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe 
2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification 
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification 
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification 
C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for 
modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Here the accesses are reads of the HKLM NLS\Language key by both the dropped svchost.com and the re-executed 2BE3D8~1.EXE; on its own this is low-confidence, since many benign programs read the same key.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2BE3D8~1.EXE -
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2336 wrote to memory of 2360 2336 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe 31 PID 2336 wrote to memory of 2360 2336 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe 31 PID 2336 wrote to memory of 2360 2336 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe 31 PID 2336 wrote to memory of 2360 2336 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe 31 PID 2360 wrote to memory of 2340 2360 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe 32 PID 2360 wrote to memory of 2340 2360 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe 32 PID 2360 wrote to memory of 2340 2360 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe 32 PID 2360 wrote to memory of 2340 2360 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe 32 PID 2340 wrote to memory of 2264 2340 svchost.com 33 PID 2340 wrote to memory of 2264 2340 svchost.com 33 PID 2340 wrote to memory of 2264 2340 svchost.com 33 PID 2340 wrote to memory of 2264 2340 svchost.com 33 PID 2264 wrote to memory of 856 2264 2BE3D8~1.EXE 34 PID 2264 wrote to memory of 856 2264 2BE3D8~1.EXE 34 PID 2264 wrote to memory of 856 2264 2BE3D8~1.EXE 34 PID 2264 wrote to memory of 856 2264 2BE3D8~1.EXE 34 PID 856 wrote to memory of 2820 856 svchost.com 35 PID 856 wrote to memory of 2820 856 svchost.com 35 PID 856 wrote to memory of 2820 856 svchost.com 35 PID 856 wrote to memory of 2820 856 svchost.com 35 PID 2820 wrote to memory of 1800 2820 2BE3D8~1.EXE 36 PID 2820 wrote to memory of 1800 2820 2BE3D8~1.EXE 36 PID 2820 wrote to memory of 1800 2820 2BE3D8~1.EXE 36 PID 2820 wrote to memory of 1800 2820 2BE3D8~1.EXE 36 PID 1800 wrote to memory of 2024 1800 svchost.com 37 PID 1800 wrote to memory of 2024 1800 svchost.com 37 PID 1800 wrote to memory of 2024 1800 svchost.com 37 PID 1800 wrote to memory of 2024 1800 svchost.com 37 PID 2024 wrote to 
memory of 2888 2024 2BE3D8~1.EXE 38 PID 2024 wrote to memory of 2888 2024 2BE3D8~1.EXE 38 PID 2024 wrote to memory of 2888 2024 2BE3D8~1.EXE 38 PID 2024 wrote to memory of 2888 2024 2BE3D8~1.EXE 38 PID 2888 wrote to memory of 2676 2888 svchost.com 39 PID 2888 wrote to memory of 2676 2888 svchost.com 39 PID 2888 wrote to memory of 2676 2888 svchost.com 39 PID 2888 wrote to memory of 2676 2888 svchost.com 39 PID 2676 wrote to memory of 2568 2676 2BE3D8~1.EXE 40 PID 2676 wrote to memory of 2568 2676 2BE3D8~1.EXE 40 PID 2676 wrote to memory of 2568 2676 2BE3D8~1.EXE 40 PID 2676 wrote to memory of 2568 2676 2BE3D8~1.EXE 40 PID 2568 wrote to memory of 3040 2568 svchost.com 41 PID 2568 wrote to memory of 3040 2568 svchost.com 41 PID 2568 wrote to memory of 3040 2568 svchost.com 41 PID 2568 wrote to memory of 3040 2568 svchost.com 41 PID 3040 wrote to memory of 2240 3040 2BE3D8~1.EXE 42 PID 3040 wrote to memory of 2240 3040 2BE3D8~1.EXE 42 PID 3040 wrote to memory of 2240 3040 2BE3D8~1.EXE 42 PID 3040 wrote to memory of 2240 3040 2BE3D8~1.EXE 42 PID 2240 wrote to memory of 1864 2240 svchost.com 43 PID 2240 wrote to memory of 1864 2240 svchost.com 43 PID 2240 wrote to memory of 1864 2240 svchost.com 43 PID 2240 wrote to memory of 1864 2240 svchost.com 43 PID 1864 wrote to memory of 2892 1864 2BE3D8~1.EXE 105 PID 1864 wrote to memory of 2892 1864 2BE3D8~1.EXE 105 PID 1864 wrote to memory of 2892 1864 2BE3D8~1.EXE 105 PID 1864 wrote to memory of 2892 1864 2BE3D8~1.EXE 105 PID 2892 wrote to memory of 824 2892 svchost.com 127 PID 2892 wrote to memory of 824 2892 svchost.com 127 PID 2892 wrote to memory of 824 2892 svchost.com 127 PID 2892 wrote to memory of 824 2892 svchost.com 127 PID 824 wrote to memory of 320 824 2BE3D8~1.EXE 46 PID 824 wrote to memory of 320 824 2BE3D8~1.EXE 46 PID 824 wrote to memory of 320 824 2BE3D8~1.EXE 46 PID 824 wrote to memory of 320 824 2BE3D8~1.EXE 46
Processes (process tree, indented by depth; PIDs shown at each node)

Reviewer note on reading this tree: the sample never runs alone — the root process drops a copy under `AppData\Local\Temp\3582-490\` and, from depth 3 onward, every launch of the dropped `2BE3D8~1.EXE` is mediated by `C:\Windows\svchost.com "…\2BE3D8~1.EXE"`, alternating down to depth 122 within the 30 s run. Taken together with the root's "Modifies system executable filetype association" / "Modifies registry class" behaviours, this looks like the classic Neshta pattern of hijacking the `.exe` handler so that `svchost.com` is invoked on each executable start (inferred from the tree, not shown explicitly here — confirm against the registry-write details). For host triage the artefacts to check are therefore the `exefile` association / registry class change and the presence of `C:\Windows\svchost.com`, not the dropped copy alone. Note also that PIDs are reused within this short run (e.g. 856, 2892, 1964, 1632, 2140, 1392, 824, 1968, 2132, 1568 and 2888 each appear at two or more depths), so correlate events by parent/child relationship and the sandbox's procid rather than by PID alone.
-
C:\Users\Admin\AppData\Local\Temp\2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe"C:\Users\Admin\AppData\Local\Temp\2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE12⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:320 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE18⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE20⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE22⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE24⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE26⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE28⤵
- Executes dropped EXE
PID:924 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1392 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE30⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1340 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE32⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"33⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2380 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE34⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"35⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE36⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"37⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE38⤵
- Executes dropped EXE
PID:908 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"39⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE40⤵
- Executes dropped EXE
PID:376 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE42⤵
- Executes dropped EXE
PID:484 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:856 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE44⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"45⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE46⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"47⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE48⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"49⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2772 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE50⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE52⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"53⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE54⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:560 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"57⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE58⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"59⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE60⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"61⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE62⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"63⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1392 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE64⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"65⤵
- Executes dropped EXE
PID:2180 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE66⤵PID:2832
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"67⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE68⤵PID:1992
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"69⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE70⤵PID:1964
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"71⤵PID:3020
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE72⤵
- System Location Discovery: System Language Discovery
PID:316 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"73⤵PID:1748
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE74⤵
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"75⤵
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE76⤵PID:2892
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"77⤵PID:2912
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE78⤵PID:1568
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"79⤵PID:2080
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE80⤵PID:2856
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"81⤵PID:2700
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE82⤵PID:1324
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"83⤵PID:3012
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE84⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"85⤵PID:1284
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE86⤵PID:2756
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"87⤵
- System Location Discovery: System Language Discovery
PID:1872 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE88⤵PID:2224
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"89⤵PID:1696
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE90⤵PID:2796
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"91⤵
- System Location Discovery: System Language Discovery
PID:400 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE92⤵PID:1648
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"93⤵PID:1780
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE94⤵PID:2300
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"95⤵PID:2808
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE96⤵
- Drops file in Windows directory
PID:1628 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"97⤵PID:896
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE98⤵PID:824
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"99⤵
- System Location Discovery: System Language Discovery
PID:1756 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE100⤵PID:1968
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"101⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE102⤵PID:2104
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"103⤵PID:3056
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE104⤵PID:868
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"105⤵PID:1964
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE106⤵
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"107⤵
- System Location Discovery: System Language Discovery
PID:2124 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE108⤵PID:1580
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"109⤵PID:2852
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE110⤵PID:2252
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"111⤵PID:1224
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE112⤵PID:2232
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"113⤵
- Drops file in Windows directory
PID:3036 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE114⤵PID:1808
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"115⤵PID:2296
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE116⤵PID:2712
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"117⤵PID:1416
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE118⤵PID:1048
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"119⤵PID:2372
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE120⤵PID:2656
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"121⤵PID:280
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE122⤵PID:928